Experts are warning ' 
about viruses in 
infected attachments 

BY DAVID L. WILSON 

Mercun- Xeu s \Vs &hi iig'ton B i: i ea a 

WASHINGTON — The hoUday season is often a 
tiine when computer users pass ai-ound aniusiiig 
electronic aiiiniaiions \ia e-niaiL Although most of te^jJJr- 
these attaclnuents are hamiless, some may hide l^I^X-^ 
destructive computer virus- 
es. 

Indeed, aiiti-\li-us watch- 
dogs identified a new \irus 
this week that masquerades 
as an innocuous bimch of 
digital photos but actuaUy 
plants a time bomb tl\at vM 
erase the computer's hai-d 
drive on Jm 1,2000. 

Because tliat's the same 
date tiiat the Y2K bug is ex- 
pected to cause many comput- 
er systems to crash, the vinis 
miglat fool users into belie\ang 
they have a y2K problem. 

Virus fighters expect more 
viruses linked to Y2K to 
emerge as Jan. 1 approaches, 
and they are once agaiir beg- 
ging computer users to avoid to emerge as 

opening e-raailed attach- ' 

ments. jan, 1 

"We're telling people to be 

very wary of electronic Christ- approaches, 
mas cards/' said Sal Viveros, a 
virus expert ^vith Network As- 
sociates Inc. , based in Sarita Clara. 

The Mypics worm, as tliis latest threat is called, 
arrives attached to what appeai-s to be e-mail from 
a ftiend or associate tiiat says, "Here's some pic- 
tures for youl" 

Openiiig the attached file, Pics4You.exe, will in- 
fect your computer \^ith the vinis, wliich ^viil at- 
See VIRUSES, Page 3C 
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tempt to mall itself to 50 people it 
^ finds iri your Microsoft OuUook e- 
. mail address book. It will also 
change tlie hon\e page of year 
crosoft Inl eniet Explorer Web 
browser to a pomograpWc site. 

Hie real damage occurs Jojl 1, 
when tJio \iins uiH cliange the com- 
puter's most basic softw^ire aiKi at- 
tempt to era^e the hard dn\*e. 

The inci easing frequency of ;\lci1s 
relating to ihijigs like electronic \i- 
ruses IS pioinpttng renewed calls for 
safe computi'ig, but few ex])erts ex- 
I>ect uber^^ to change their habits. 

"It \N'oukl be gieat if e\er\body 
followed the lule. Never Ojien e-mail 
attachments if }-ou can help it," said 
Carey Naclienbergj chief rescaicher 
at Symaiitcc's aiiti-Mnil research 
center. "But I don't tlilnk they will." 

In genend, just looking at an infec- 
ted e-niaj] ciin't hurt: users ha\c to 
do soiiiethmg else to acti\ate the vi- 
ms and infect theu' system. 1\pic al- 
ly, a vinis comes iis an attaclmient to 
e-mail, sucli as a document that can 
be read only with a word processor 
like Microsoft Word. 

Clicking on the attaclnnent to 
read the document can mfect the us- 
er's maciune witli any viiiis that w 
lurking on tlie senders macliine. A 
virus is dangerous because it can al- 
ter or destroy data 

Until recently, ex-peits advised us- 
ers to simply a\'oid openmg aUach- 
ments sent by people they didn't 
know. Unfortimately, Uie most trou- 
blesome \inises today spread by 
fooling people into believing the 
document was sent by a friend. 

For instance, Mv^pics attempts to 
mail copies of itself to anyone in the 
user's e-mail address book. Anyone 
receiving such a ntissive from, say, 
their brotlier, might open that at- 
tacliment ivitJiout tliinking about it 

Most software vendors are aware 
of tiie problem and take steps to get 
arom^d it For iiistancej Blue Moun- 
tain Alts, a pmveyor of electronic 
greeting cards, doesn't send tlie card 
via e-mail, just a Web address, w liich 
can be accessed tiiough any brows- 
er. 

Jaied P. Schu tz, the company's ex- 
ecutive director, said that's tl\e only 
way to be safe. "I would higlily rec- 
ommend tiiat people avoid opening 
attached files, even from people that 
tlieyknovv," he said. 




A:computer i/ims for Christmas . 

Many computer viruses travel as innocent-fooking files attached to - 
electronic mat!. With the holiday season upon us; people often e-mail 
electronic greetings and photographs to friends and family members, 
but not every file that comes with an e-mail is safe.This year poses 
special hazards, according to anti-virus experts, because many Virus 
writers may use the Y2K bug to hide their mischief.This week, anti- 
virus companies detected a new virus, named Mypics, that could 
' erase a computer's hard drive on Jan, 1. ^ - 

WORM ARRIVES 
You getan e-meil with an 
attachment named Pics4You.exe 
saying. "Here's some pictures for 
your 



mm REPRODUCES 

!f you open the attachment the worm 
will send itself to 50 people in your 
Microsoft Outlook address bock. It 
also changes the home page of your 
Microsoft Internet Explorer browser 
to a pornographic Site. 



V;OKM WAITS 

On Jan. 1, 2000, the worm will ovenvrite 
key system data. The user will ses an 
apparent y2K-reIated error when 
starting up the computer. The worm will 
then destroy ail data on the hard drive. 



HOW TO PROTECT YOURSELF 

Avoid opening attachments to e-mail if possible, if you want the attachment 
call the sender and verify its contents before opening it. Update virus 
protection software weekly and use it to scan attachments. Back up critical 
data regularly. 



Source: Symantec Corp 

Tliat's the stand ai*d advice, but no- 
body expects artaclunents to disap- 
pear tonioirow, despite the ^^-a^^- 
mgs. 

"I can't tell you w hetlier \ve'\ e still 
got a lot of people wiio just haven't 
gotten tlie message — newbies ~~ or 
whetlier it's people ^vho should 
know better but do it aiiyway," said 
Sandra Sparks, director of the Ener- 
gy Department's Computer Incident 
Ad\1sory Capability, which \\'orks to 
ensure tiie secujity of govenunent 
computer systems. "Maybe it's tiie 
same kiiid of thing that happens 
people who don't wear a seat belt.'' 

Although many corporations scan 
all incoming e-it\ail and destroy any 
kno^vn viins before it's delivered m- 
to an employee's mailbox, very fe^v 
Internet senice providers offer such 
a feature, largely because exaimning 
every single data packet titat flows 
into the pipes cait slow ser\''lce- 

So for now, anti-vhxis protectioi\ 
is largely tlie responsibility of indi- 
viduals. 

To protect agaiiist all viruses, ex- 
perts say \iRis protection softwaie 
should be updated weekly. 



Attaciiments genei^ally should be 
avoided. If you receive an attach- 
ment tliat you want, contact tlie 
sender and ask if it was deliberately 
sent If possible, ask tliat the infor- 
mation in the attachment be copied 
and pasted into a plain e-mail file 
and resent, or posted on a W'eb page. 

If that's not possible and you must 
open tiie attachment, make sure it's 
scanned firet witli an updated anti-\ i- 
ral program. 

Even With such precautions, it's 
still possible for a ne^v, fast-mo\4ng 
virus to get tlirough your defenses. 
Tlie only real piotectiou users have 
is to regularly make copies of the da- 
ta on their hard drive. 

"Back up yoiir critical stxiff at 
least once a week," said Sparks. "I 
know that's annoying, and I \mo\v it 
takes tune. But compare Uiat 
amount of time vs. the amomit of 
tune you'd spend trying to rebuild 
your system, or your company, and 
that's a very small investment *' 

Contact David Wilson at (202) 

383-6020 or at 

divUson (^sjiiiefrwi-y. corn. 
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step 1: 

A first computer 203 loads and executes 
the first program which extracts a 
set of e-mail addresses from the 
e-maii system 205 thereby creating 
a list of e-mail users 206. 




< > 
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Step 2: 

The first computer 203 loads and 
executes the second program that 
sends the list of e-mail users 206 
to a second computer 208. 
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step 3: 

The second computer 208 loads and 
executes the third program that: 

specifies within the mock computer virus 
attachment 202 the e-mail 
address of the third computer 210 
as the recipient of the e-mail that is sent 
if the mock computer virus attachment 202 
is opened. 

sends the list of e-maii users 206 to 
the third computer 210. 



and sends an e-mail with the mock 
computer virus attachment 202 
to each e-mail address on the list i.e. 
each user 21 1 . 
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Step 4: 

The third computer 210 loads and 
executes the fourth program which 
receives the e-mails from the 
users 21 1 that open the mock 
computer virus attachment 202 
and creates a new list of e-mail 
users with their respective e-mail 
addresses. 

The new list of e-mail users that 
opened the mock computer virus 
attachment 202 and those that did 
not open it, may be displayed as 
results 212 on a web page 214 or 
other report on the network. 
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step 1: 

An e-mail user behavior 
modification server 301 
provides a program 302 
that can be downloaded to 
a computer 303. 




Computer 303 



Program 302 



E-mai! System 305 




E-mail User Behavior 
Modification Server 301 



Administrator / 
Management 310 



Step 2: 




The program 302 extracts a Computer 303 E-mail System 305 

list of e-mail addresses 304 
from the e-mai! system 305. 



E-mail User Behavior Administrator / 

Modification Server 301 Management 31 0 
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step 3: 

The program 302 sends the 
list of e-mail addresses 304 
from the computer 303 
to the e-mail user behavior 
modification server 301 . 




Connpu^e^ 303 
List of 
E-mail 
Addresses 
304 
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Step 4: 

The e-mail user behavior 
modification server 301 sends an 
e-mail with the mock computer virus 
attachment 306 to each e-mail 
address on the list i.e. each user 307. 
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E-mail System 305 
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step 5: 

The mock computer virus attachment 306 

wiil send an e-mail to the e-mail 

address of the e-mail user 

behavior modification server 301 

if the mock computer virus attachment 306 

is opened. 



The e-mail user behavior modification 
server 301 receives the e-mails from 
users 307 that open the mock computer 
virus attachment 306 and compiles a list 
of users 308 that opened the mock 
computer virus attachment 306. 
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Step 6: 

The list of users that opened 
the mock computer virus attachment 306 
and the users that were sent the e-mail 
with the mock computer virus attachment 306 
but did not open it are displayed as 
results 308 on a web page 309 or 
sent as an e-mail to the administrator / 
management 310. 
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step 1: 

An e-mail user behavior 
modification server 401 
provides a program 402 
that can be downloaded to 
a computer 403. 



E-mail User Behavior 
Modification Server 401 



Program 402 



E-mail System 405 





Computer 403 



Administrator / 
Management 410 




Web Page 409 



Step 2: 



The program 402 extracts a 
list of e-mail addresses 404 
from the e-mail system 405. 




Computer 403 Management 41 0 
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step 3: 

The computer 403 sends an 
e-mail with the mock computer virus 
attachment 406 to each e-mail 
address on the list i.e. each user 407. 



E-mail User Behavior 
Modification Server 401 



E-maii System 405 




Computer 403 
E-ryfeil 



I with 



Computer Virus >Utachme\t 406 



the Mock 



Q^L 
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User 407 




Administrator/ 
Management 410 
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Step 4: 



IVIO( 



The mock computer virus attachment 406 
will send an e-mail to the e-mail E-maii User Behavior 

address of the e-mail user Modification Server 401 

behavior modification server 401 
if the mock computer virus attachment 406 
is opened. 



The e-mail user behavior modification 
server 401 receives the e-mails from 
users 407 that open the mock computer 
virus attachment 406 and compiles a list 
of users that opened the mock 
computer virus attachment 406. 



E-mail System 405 





Computer 403 



Opened mock computer 
virus attachment 406 



Administrator / 
Management 410 
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Step 5: 

The list of users that opened E-mail User Behavior 

the mock computer virus attachment 406 Modification Server 401 
and the users 407 that were sent the e-mail 
with the mock computer virus List 
attachment 406 but did not open it 
are displayed as results 408 on a 
web page 409 or sent as an e-mail to 
the administrator / management 410. 



E-mail System 405 





Computer 403 
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Drawing 5 
step 1: 



A first computer 503 loads and executes 
the first program which extracts a 
set of e-mail addresses from the 
e-mail system 505 thereby creating 
a list of e-mail users 506. 



The first computer 503 informs 
the fourth computer 515 
of the number or type of 
e-mail addresses 516 it 
extracted. 




List of E-mail Users 505 




First Computer 503 



E-mail System 505 



bar or 
of E-mail 
addresses 516 




Second Computer 508 



Third Computer 510 



Fourth Computer 515 
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Step 2: 

The first computer 503 loads and 
executes the second program that 
sends the list of e-mail users 506 
to a second computer 508. 



The fourth computer 515 
gives authorization 517 to the 
first computer 503 to send 
the list of e-mail users 506 
to the second computer 508 



Third Computer 510 



Fourth Computer 51 5 



£L Oyi QM 
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